I'm really shocked to read this, it's appalling that information about vulnerable people is so freely available. Good on you Keith for drawing attention to this situation. Happy to support independent journalism.

I'm also aghast at the implication that any WINZ / MSD staff member can see sensitive information held by another unit. Have they no concept of information security? Do they not care that there have been prosecutions of their staff for committing fraud based on the internal information, and have still done nothing about basic folder / directory security?

Crimes Act s252 (1) "Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system."

Did you get any legal advice before a) breaching the security of the MSD systems, b) putting up this post?

Thomas, I would love to see them go after him for this. LOVE TO. He may well have technically broken the law but public opinion if they tried to charge him for it could get very messy.

And yeah, I've seen statistics that suggest a significant amount, if not the majority, of benefit fraud is committed by MSD staff, so the fact that the staff can access this stuff is pretty horrifying in and of itself.

A) What Thomas said. My immediate reaction is "wow Keith you could end up in a lot of trouble". Bravo!

B) I'm sadly not very surprised. I'm surprised the kiosks can see the data, but I'm not surprised by the shitty internal security. These departments spend hours and millions making sure their users can't access Twitter, but couldn't give a crap if a file server is one click away from unauthorized access.

I cannot believe this. This is sysadmin 101. What the fuck were they thinking?

My experience with VMs is limited but I think the data you show is significant, especially the clear text password. Without command line or explorer access, I think you'd have had difficulty launching them but you could possibly have copied them to a large enough USB key for off-site study. But FFS their firewall is a virtual server on the corporate network??? Surely not!

Agree Nigel, I don't know that you can really call it breaching the servers! He went to the File menu of a public computer and clicked Open File. Mega hax there. If he wasn't supposed to have it, surely they wouldn't have put it there, as I'm sure plenty of lawyers would argue.

They contained sound recordings which I couldn't open, but which I suspect (for various reasons) are NOT complete recordings of calls.

When you phone the W&I call centre, there's always a message that says calls may be recorded "for our purposes". I assume those sound files are the result of such a recording. I'm still very intrigued to know what these 'purposes' are.

BTW, you know what's almost as scandalous as this network sharing issue? The W&I kiosks block access to Google Docs/Drive, which surely is an extremely valuable tool for a job seeker with no home computer.

Wow! In theory you could have copied the hyper-v folders and stood them up with very little effort on any other machine. I'd like to assume they have some form of encryption on the network/virtual disks to stop that happening but it appears that's not the case.

This is IT security 101. You can have them all connected to the corporate network (although why you wouldn't have them in their own workgroup/domain is beyond me); you just make sure the user account associated with the kiosk machines can't see anything other than itself and a printer. The fact that the network and its shares are open internally is extremely poor work on the sysadmins' behalf.

If I'm not mistaken the kiosk machines have full access to the internet too which could be exploited pretty easily. As I'm typing I realise that this is probably how the files were copied off the machine.

Phone recordings are used for quality assurance, training and in investigations of complaints or fraud. It's pretty much as you'd expect from any call centre. Remember, you are entitled to request a copy of a recording of you via the Privacy Act.

The NBR article this evening states: "A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after." So in theory someone has looked at these kiosks twice (at least) and thought they were all good.